Thu Feb 8 19:58:05 2018 UTC ()
Remove the IN6_IS_ADDR_V4MAPPED checks in the protocol functions. They
are useless, because the IPv6 entry point (ip6_input) already performs
them.

The checks were first added in the protocol functions:

	Wed Dec 22 04:03:02 1999 UTC (18 years, 1 month ago) by itojun

"drop IPv6 packets with v4 mapped address on src/dst.  they are illegal
and may be used to fool IPv6 implementations (by using ::ffff:127.0.0.1 as
source you may be able to pretend the packet is from local node)"

Shortly afterwards they were also added in the IPv6 entry point, but
where not removed from the protocol functions:

	Mon Jan 31 10:33:22 2000 UTC (18 years ago) by itojun

"be proactive about malicious packet on the wire.  we fear that v4 mapped
address to be used as a tool to hose security filters (like bypassing
"local host only" filter by using ::ffff:127.0.0.1)."

OpenBSD did the same a few months ago. FreeBSD has never had these checks.


(maxv)
diff -r1.368 -r1.369 src/sys/netinet/tcp_input.c
diff -r1.161 -r1.162 src/sys/netinet6/raw_ip6.c
diff -r1.133 -r1.134 src/sys/netinet6/udp6_usrreq.c
cvs diff -r1.368 -r1.369 src/sys/netinet/tcp_input.c (expand / switch to unified diff)

--- src/sys/netinet/tcp_input.c 2018/02/08 19:38:21 1.368
+++ src/sys/netinet/tcp_input.c 2018/02/08 19:58:05 1.369
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: tcp_input.c,v 1.368 2018/02/08 19:38:21 maxv Exp $ */ 1/* $NetBSD: tcp_input.c,v 1.369 2018/02/08 19:58:05 maxv Exp $ */
2 2
3/* 3/*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved. 5 * All rights reserved.
6 * 6 *
7 * Redistribution and use in source and binary forms, with or without 7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions 8 * modification, are permitted provided that the following conditions
9 * are met: 9 * are met:
10 * 1. Redistributions of source code must retain the above copyright 10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer. 11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the 13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution. 14 * documentation and/or other materials provided with the distribution.
@@ -138,27 +138,27 @@ @@ -138,27 +138,27 @@
138 */ 138 */
139 139
140/* 140/*
141 * TODO list for SYN cache stuff: 141 * TODO list for SYN cache stuff:
142 * 142 *
143 * Find room for a "state" field, which is needed to keep a 143 * Find room for a "state" field, which is needed to keep a
144 * compressed state for TIME_WAIT TCBs. It's been noted already 144 * compressed state for TIME_WAIT TCBs. It's been noted already
145 * that this is fairly important for very high-volume web and 145 * that this is fairly important for very high-volume web and
146 * mail servers, which use a large number of short-lived 146 * mail servers, which use a large number of short-lived
147 * connections. 147 * connections.
148 */ 148 */
149 149
150#include <sys/cdefs.h> 150#include <sys/cdefs.h>
151__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.368 2018/02/08 19:38:21 maxv Exp $"); 151__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.369 2018/02/08 19:58:05 maxv Exp $");
152 152
153#ifdef _KERNEL_OPT 153#ifdef _KERNEL_OPT
154#include "opt_inet.h" 154#include "opt_inet.h"
155#include "opt_ipsec.h" 155#include "opt_ipsec.h"
156#include "opt_inet_csum.h" 156#include "opt_inet_csum.h"
157#include "opt_tcp_debug.h" 157#include "opt_tcp_debug.h"
158#endif 158#endif
159 159
160#include <sys/param.h> 160#include <sys/param.h>
161#include <sys/systm.h> 161#include <sys/systm.h>
162#include <sys/malloc.h> 162#include <sys/malloc.h>
163#include <sys/mbuf.h> 163#include <sys/mbuf.h>
164#include <sys/protosw.h> 164#include <sys/protosw.h>
@@ -1302,33 +1302,26 @@ tcp_input(struct mbuf *m, ...) @@ -1302,33 +1302,26 @@ tcp_input(struct mbuf *m, ...)
1302#ifdef INET6 1302#ifdef INET6
1303 case 6: 1303 case 6:
1304 ip = NULL; 1304 ip = NULL;
1305 iphlen = sizeof(struct ip6_hdr); 1305 iphlen = sizeof(struct ip6_hdr);
1306 af = AF_INET6; 1306 af = AF_INET6;
1307 ip6 = mtod(m, struct ip6_hdr *); 1307 ip6 = mtod(m, struct ip6_hdr *);
1308 IP6_EXTHDR_GET(th, struct tcphdr *, m, toff, 1308 IP6_EXTHDR_GET(th, struct tcphdr *, m, toff,
1309 sizeof(struct tcphdr)); 1309 sizeof(struct tcphdr));
1310 if (th == NULL) { 1310 if (th == NULL) {
1311 TCP_STATINC(TCP_STAT_RCVSHORT); 1311 TCP_STATINC(TCP_STAT_RCVSHORT);
1312 return; 1312 return;
1313 } 1313 }
1314 1314
1315 /* Be proactive about malicious use of IPv4 mapped address */ 
1316 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 
1317 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 
1318 /* XXX stat */ 
1319 goto drop; 
1320 } 
1321 
1322 /* 1315 /*
1323 * Be proactive about unspecified IPv6 address in source. 1316 * Be proactive about unspecified IPv6 address in source.
1324 * As we use all-zero to indicate unbounded/unconnected pcb, 1317 * As we use all-zero to indicate unbounded/unconnected pcb,
1325 * unspecified IPv6 address can be used to confuse us. 1318 * unspecified IPv6 address can be used to confuse us.
1326 * 1319 *
1327 * Note that packets with unspecified IPv6 destination is 1320 * Note that packets with unspecified IPv6 destination is
1328 * already dropped in ip6_input. 1321 * already dropped in ip6_input.
1329 */ 1322 */
1330 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { 1323 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
1331 /* XXX stat */ 1324 /* XXX stat */
1332 goto drop; 1325 goto drop;
1333 } 1326 }
1334 1327
cvs diff -r1.161 -r1.162 src/sys/netinet6/raw_ip6.c (expand / switch to unified diff)

--- src/sys/netinet6/raw_ip6.c 2018/02/01 15:53:16 1.161
+++ src/sys/netinet6/raw_ip6.c 2018/02/08 19:58:05 1.162
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: raw_ip6.c,v 1.161 2018/02/01 15:53:16 maxv Exp $ */ 1/* $NetBSD: raw_ip6.c,v 1.162 2018/02/08 19:58:05 maxv Exp $ */
2/* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */ 2/* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */
3 3
4/* 4/*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved. 6 * All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
10 * are met: 10 * are met:
11 * 1. Redistributions of source code must retain the above copyright 11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer. 12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright 13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the 14 * notice, this list of conditions and the following disclaimer in the
@@ -52,27 +52,27 @@ @@ -52,27 +52,27 @@
52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
59 * SUCH DAMAGE. 59 * SUCH DAMAGE.
60 * 60 *
61 * @(#)raw_ip.c 8.2 (Berkeley) 1/4/94 61 * @(#)raw_ip.c 8.2 (Berkeley) 1/4/94
62 */ 62 */
63 63
64#include <sys/cdefs.h> 64#include <sys/cdefs.h>
65__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.161 2018/02/01 15:53:16 maxv Exp $"); 65__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.162 2018/02/08 19:58:05 maxv Exp $");
66 66
67#ifdef _KERNEL_OPT 67#ifdef _KERNEL_OPT
68#include "opt_ipsec.h" 68#include "opt_ipsec.h"
69#include "opt_net_mpsafe.h" 69#include "opt_net_mpsafe.h"
70#endif 70#endif
71 71
72#include <sys/param.h> 72#include <sys/param.h>
73#include <sys/sysctl.h> 73#include <sys/sysctl.h>
74#include <sys/mbuf.h> 74#include <sys/mbuf.h>
75#include <sys/socket.h> 75#include <sys/socket.h>
76#include <sys/protosw.h> 76#include <sys/protosw.h>
77#include <sys/socketvar.h> 77#include <sys/socketvar.h>
78#include <sys/systm.h> 78#include <sys/systm.h>
@@ -152,34 +152,26 @@ rip6_input(struct mbuf **mp, int *offp,  @@ -152,34 +152,26 @@ rip6_input(struct mbuf **mp, int *offp,
152 struct sockaddr_in6 rip6src; 152 struct sockaddr_in6 rip6src;
153 struct mbuf *opts = NULL; 153 struct mbuf *opts = NULL;
154 154
155 RIP6_STATINC(RIP6_STAT_IPACKETS); 155 RIP6_STATINC(RIP6_STAT_IPACKETS);
156 156
157#if defined(NFAITH) && 0 < NFAITH 157#if defined(NFAITH) && 0 < NFAITH
158 if (faithprefix(&ip6->ip6_dst)) { 158 if (faithprefix(&ip6->ip6_dst)) {
159 /* send icmp6 host unreach? */ 159 /* send icmp6 host unreach? */
160 m_freem(m); 160 m_freem(m);
161 return IPPROTO_DONE; 161 return IPPROTO_DONE;
162 } 162 }
163#endif 163#endif
164 164
165 /* Be proactive about malicious use of IPv4 mapped address */ 
166 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 
167 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 
168 /* XXX stat */ 
169 m_freem(m); 
170 return IPPROTO_DONE; 
171 } 
172 
173 sockaddr_in6_init(&rip6src, &ip6->ip6_src, 0, 0, 0); 165 sockaddr_in6_init(&rip6src, &ip6->ip6_src, 0, 0, 0);
174 if (sa6_recoverscope(&rip6src) != 0) { 166 if (sa6_recoverscope(&rip6src) != 0) {
175 /* XXX: should be impossible. */ 167 /* XXX: should be impossible. */
176 m_freem(m); 168 m_freem(m);
177 return IPPROTO_DONE; 169 return IPPROTO_DONE;
178 } 170 }
179 171
180 TAILQ_FOREACH(inph, &raw6cbtable.inpt_queue, inph_queue) { 172 TAILQ_FOREACH(inph, &raw6cbtable.inpt_queue, inph_queue) {
181 in6p = (struct in6pcb *)inph; 173 in6p = (struct in6pcb *)inph;
182 if (in6p->in6p_af != AF_INET6) 174 if (in6p->in6p_af != AF_INET6)
183 continue; 175 continue;
184 if (in6p->in6p_ip6.ip6_nxt && 176 if (in6p->in6p_ip6.ip6_nxt &&
185 in6p->in6p_ip6.ip6_nxt != proto) 177 in6p->in6p_ip6.ip6_nxt != proto)
cvs diff -r1.133 -r1.134 src/sys/netinet6/udp6_usrreq.c (expand / switch to unified diff)

--- src/sys/netinet6/udp6_usrreq.c 2018/02/08 11:49:37 1.133
+++ src/sys/netinet6/udp6_usrreq.c 2018/02/08 19:58:05 1.134
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: udp6_usrreq.c,v 1.133 2018/02/08 11:49:37 maxv Exp $ */ 1/* $NetBSD: udp6_usrreq.c,v 1.134 2018/02/08 19:58:05 maxv Exp $ */
2/* $KAME: udp6_usrreq.c,v 1.86 2001/05/27 17:33:00 itojun Exp $ */ 2/* $KAME: udp6_usrreq.c,v 1.86 2001/05/27 17:33:00 itojun Exp $ */
3/* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */ 3/* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */
4 4
5/* 5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved. 7 * All rights reserved.
8 * 8 *
9 * Redistribution and use in source and binary forms, with or without 9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions 10 * modification, are permitted provided that the following conditions
11 * are met: 11 * are met:
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright 14 * 2. Redistributions in binary form must reproduce the above copyright
@@ -53,27 +53,27 @@ @@ -53,27 +53,27 @@
53 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
54 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
55 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
56 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
57 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
58 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
59 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
60 * SUCH DAMAGE. 60 * SUCH DAMAGE.
61 * 61 *
62 * @(#)udp_var.h 8.1 (Berkeley) 6/10/93 62 * @(#)udp_var.h 8.1 (Berkeley) 6/10/93
63 */ 63 */
64 64
65#include <sys/cdefs.h> 65#include <sys/cdefs.h>
66__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.133 2018/02/08 11:49:37 maxv Exp $"); 66__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.134 2018/02/08 19:58:05 maxv Exp $");
67 67
68#ifdef _KERNEL_OPT 68#ifdef _KERNEL_OPT
69#include "opt_inet.h" 69#include "opt_inet.h"
70#include "opt_inet_csum.h" 70#include "opt_inet_csum.h"
71#include "opt_ipsec.h" 71#include "opt_ipsec.h"
72#include "opt_net_mpsafe.h" 72#include "opt_net_mpsafe.h"
73#endif 73#endif
74 74
75#include <sys/param.h> 75#include <sys/param.h>
76#include <sys/mbuf.h> 76#include <sys/mbuf.h>
77#include <sys/protosw.h> 77#include <sys/protosw.h>
78#include <sys/socket.h> 78#include <sys/socket.h>
79#include <sys/socketvar.h> 79#include <sys/socketvar.h>
@@ -602,33 +602,26 @@ udp6_input(struct mbuf **mp, int *offp,  @@ -602,33 +602,26 @@ udp6_input(struct mbuf **mp, int *offp,
602 */ 602 */
603 if (ulen == 0 && plen > 0xffff) 603 if (ulen == 0 && plen > 0xffff)
604 ulen = plen; 604 ulen = plen;
605 605
606 if (plen != ulen) { 606 if (plen != ulen) {
607 UDP6_STATINC(UDP6_STAT_BADLEN); 607 UDP6_STATINC(UDP6_STAT_BADLEN);
608 goto bad; 608 goto bad;
609 } 609 }
610 610
611 /* destination port of 0 is illegal, based on RFC768. */ 611 /* destination port of 0 is illegal, based on RFC768. */
612 if (uh->uh_dport == 0) 612 if (uh->uh_dport == 0)
613 goto bad; 613 goto bad;
614 614
615 /* Be proactive about malicious use of IPv4 mapped address */ 
616 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 
617 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 
618 /* XXX stat */ 
619 goto bad; 
620 } 
621 
622 /* 615 /*
623 * Checksum extended UDP header and data. Maybe skip checksum 616 * Checksum extended UDP header and data. Maybe skip checksum
624 * on loopback interfaces. 617 * on loopback interfaces.
625 */ 618 */
626 if (udp6_input_checksum(m, uh, off, ulen)) 619 if (udp6_input_checksum(m, uh, off, ulen))
627 goto bad; 620 goto bad;
628 621
629 /* 622 /*
630 * Construct source and dst sockaddrs. 623 * Construct source and dst sockaddrs.
631 */ 624 */
632 memset(&src, 0, sizeof(src)); 625 memset(&src, 0, sizeof(src));
633 src.sin6_family = AF_INET6; 626 src.sin6_family = AF_INET6;
634 src.sin6_len = sizeof(struct sockaddr_in6); 627 src.sin6_len = sizeof(struct sockaddr_in6);